X-CSRF-TOKEN handling

mikoconn
Cisco Employee

Hi,

 

Trying to create an endpoint using the API while CSRF Check is enabled; everything works if that check is disabled.

 

Using Python3, sending a GET request first to 'fetch' the token and then feeding that back into the headers for a POST request to /ers/config/endpoint.

 

Here's my initial GET request and response that works:

 

GET /ers/config/endpointgroup/name/groupGreen HTTP/1.1
Host: 10.81.127.170:9060
Accept-Encoding: identity
accept: application/json
content-type: application/json
authorization: Basic [redacted]
cache-control: no-cache
X-CSRF-TOKEN: fetch
---------------------
Cache-Control: no-cache, no-store, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONIDSSO=9E81D20C04095E5C0F82668222D54193; Path=/; Secure; HttpOnly
Set-Cookie: APPSESSIONID=5AFA8F314D99A5921C61817BCF21997D; Path=/ers; Secure; HttpOnly
X-CSRF-Token: C883A27FBEA77E4BAAF85028FD0E229E
Pragma: no-cache
ETag: "D5755A00DC6F46C650D6B5D8E550DBE0"
Date: Tue, 05 Feb 2019 22:59:13 GMT
Content-Type: application/json;charset=utf-8
Content-Length: 322

 

So I have my CSRF token to feed into the POST to add the endpoint: 

POST /ers/config/endpoint HTTP/1.1
Host: 10.81.127.170:9060
Accept-Encoding: identity
Content-Length: 183
X-CSRF-Token: C883A27FBEA77E4BAAF85028FD0E229E
accept: application/json
content-type: application/json
authorization: Basic [redacted]
cache-control: no-cache
------------------
Status: 404
Set-Cookie: JSESSIONIDSSO=C4AF34E0D41D8D0CEBC9309A0F7777E6; Path=/; Secure; HttpOnly
Set-Cookie: APPSESSIONID=E45F80818D77D32377B8F3F3C0351B97; Path=/ers; Secure; HttpOnly
X-CSRF-Token: Required
Content-Length: 0
Date: Tue, 05 Feb 2019 22:59:13 GMT

Why is my token not accepted?

 

Is this CSCvi80094? Not sure a 403 Forbidden would actually help me here.

 

Thanks,

Mike.

15 Replies

maltroc
Beginner

I had the same issue. You need to handle the csrf token AND the cookie:

 

1) Fetch the token and save it, save the cookie as well

import json
import requests

# encoded_auth_token (the Basic auth value) and url are set earlier in the script
headers = {
    'content-type': "application/json",
    'accept': "application/json",
    'authorization': encoded_auth_token,
    'cache-control': "no-cache",
    'X-CSRF-TOKEN': "fetch"   # asks ISE to issue a token
}

response = requests.request("GET", url, headers=headers)
my_token = response.headers['X-CSRF-Token']   # token returned in the response header
my_cookie = response.cookies                  # session cookie the token is tied to

2) Then do your POST API calls with the saved csrf token and the cookie:

cookies = my_cookie

headers = {
    'content-type': "application/json",
    'accept': "application/json",
    'authorization': encoded_auth_token,
    'cache-control': "no-cache",
    'X-CSRF-TOKEN': my_token   # the token fetched above
}

payload = {}   # fill in the endpoint body

# both the token header and the cookie from the fetch must be sent
response = requests.request("POST", url, headers=headers, data=json.dumps(payload), cookies=cookies)
print(response.content)


Voila.

Hope it helps.
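The exchange described above, as an added example that is not part of maltroc's answer or Cisco's code. It runs a constructed stand-in for the ERS endpoint on a local port: the stand-in binds each issued X-CSRF-Token to the APPSESSIONID cookie it was issued with, which is an assumed model of ISE's behaviour inferred from this thread (token accepted with the cookie, "X-CSRF-Token: Required" without it). The client side shows the two steps from the answer with the standard library only; the Basic auth value, the endpoint body and the hostname are placeholders.

```python
import http.client
import json
import secrets
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the ERS service (assumed model, not Cisco code):
# each fetched CSRF token is remembered against the APPSESSIONID it came with.
_sessions = {}  # APPSESSIONID -> CSRF token
_lock = threading.Lock()


class FakeErsHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass  # keep the demo quiet

    def do_GET(self):
        if self.headers.get("X-CSRF-TOKEN", "").lower() != "fetch":
            self.send_response(400)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        sid = secrets.token_hex(16).upper()
        token = secrets.token_hex(16).upper()
        with _lock:
            _sessions[sid] = token
        self.send_response(200)
        # plain HTTP here, so no Secure attribute; the real service sets it
        self.send_header("Set-Cookie", f"APPSESSIONID={sid}; Path=/ers; HttpOnly")
        self.send_header("X-CSRF-Token", token)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"{}")

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # body not needed for the check
        jar = SimpleCookie(self.headers.get("Cookie", ""))
        sid = jar["APPSESSIONID"].value if "APPSESSIONID" in jar else None
        with _lock:
            expected = _sessions.get(sid)
        if expected is None or self.headers.get("X-CSRF-TOKEN") != expected:
            # same shape as the rejection shown in the question
            self.send_response(404)
            self.send_header("X-CSRF-Token", "Required")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self.send_response(201)
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_fake_ise():
    """Start the stand-in on a free loopback port; returns (port, server)."""
    server = HTTPServer(("127.0.0.1", 0), FakeErsHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1], server


def fetch_csrf(host, port, auth_header):
    """Step 1: GET with X-CSRF-TOKEN: fetch; keep the token AND the cookie."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", "/ers/config/endpointgroup/name/groupGreen", headers={
        "Accept": "application/json", "Authorization": auth_header, "X-CSRF-TOKEN": "fetch"})
    resp = conn.getresponse()
    resp.read()
    token = resp.getheader("X-CSRF-Token")
    jar = SimpleCookie()
    for set_cookie in resp.msg.get_all("Set-Cookie", []):
        jar.load(set_cookie)
    conn.close()
    cookie_header = "; ".join(f"{name}={morsel.value}" for name, morsel in jar.items())
    return token, cookie_header


def create_endpoint(host, port, auth_header, token, cookie_header):
    """Step 2: POST with the saved token and (optionally) the cookie it was issued under."""
    body = json.dumps({"ERSEndPoint": {"mac": "00:11:22:33:44:55"}})  # constructed sample body
    headers = {"Accept": "application/json", "Content-Type": "application/json",
               "Authorization": auth_header, "X-CSRF-TOKEN": token}
    if cookie_header:
        headers["Cookie"] = cookie_header
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("POST", "/ers/config/endpoint", body=body, headers=headers)
    resp = conn.getresponse()
    resp.read()
    result = (resp.status, resp.getheader("X-CSRF-Token"))
    conn.close()
    return result


def demo():
    """Returns ((status, csrf header) with cookie, (status, csrf header) without cookie)."""
    port, server = start_fake_ise()
    auth = "Basic [redacted]"  # placeholder, as in the thread
    token, cookie = fetch_csrf("127.0.0.1", port, auth)
    with_cookie = create_endpoint("127.0.0.1", port, auth, token, cookie)
    without_cookie = create_endpoint("127.0.0.1", port, auth, token, "")
    server.shutdown()
    server.server_close()
    return with_cookie, without_cookie


if __name__ == "__main__":
    print(demo())
```

The second POST reproduces the failure in the question: the token is the right value, but sent on a fresh session it is rejected with "X-CSRF-Token: Required", which is why the cookie from the fetch has to travel with every later call.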
